GHSA-c2h6-7gm8-cv4w

Source

https://github.com/advisories/GHSA-c2h6-7gm8-cv4w

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/04/GHSA-c2h6-7gm8-cv4w/GHSA-c2h6-7gm8-cv4w.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-c2h6-7gm8-cv4w

Aliases

CVE-2020-5497

Published

2020-04-01T16:35:44Z

Modified

2023-11-08T04:03:55.956159Z

Severity

6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator

Summary

XSS in MITREid Connect

Details

The OpenID Connect reference implementation for MITREid Connect through 1.3.3 allows XSS due to userInfoJson being included in the page unsanitized. This is related to header.tag. The issue can be exploited to execute arbitrary JavaScript.

Database specific

{
    "nvd_published_at": "2020-01-04T03:15:00Z",
    "github_reviewed_at": "2020-04-01T16:02:47Z",
    "severity": "MODERATE",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-79"
    ]
}

References

Affected packages

Maven / org.mitre:openid-connect-server

Package

Name: org.mitre:openid-connect-server; View open source insights on deps.dev
Purl: pkg:maven/org.mitre/openid-connect-server

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Last affected

1.3.3

Affected versions

0.*

0.9.0

0.9.1

0.9.2

0.9.3

1.*

1.0.0

1.0.1

1.0.2

1.0.3

1.0.4

1.0.5

1.0.6

1.0.7

1.0.8

1.0.9

1.0.10

1.0.11

1.0.12

1.0.13

1.0.14

1.0.15

1.0.16

1.0.17

1.0.18

1.0.19

1.0.20

1.0.21

1.0.22

1.1.0

1.1.1

1.1.2

1.1.3

1.1.4

1.1.5

1.1.6

1.1.7

1.1.8

1.1.9

1.1.10

1.1.11

1.1.12

1.1.13

1.1.14

1.1.15

1.1.16

1.1.17

1.1.18

1.1.19

1.2.0-RC1

1.2.0-RC2

1.2.0

1.2.1

1.2.2

1.2.3

1.2.4

1.2.5

1.2.6

1.3.0-RC1

1.3.0-RC2

1.3.0

1.3.1

1.3.2

1.3.3